cbcvebase.
CVE-2007-5779
published 2007-11-01


Priority: P2 (66, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (in-the-wild exploit; listed in VulnCheck KEV)
EPSS: 71.51% (99.3rd percentile)
Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player (GOM Player) 2.1.6.3499 allows remote attackers to execute arbitrary code via a long argument to the OpenUrl method.

Affected (2 ranges)

Vendor       Product            Version range     Fixed in
gom_player   gom_player         -                 -
gomlab       gom_media_player   <= 2.1.36.5083    -

Detection & IOCs (extracted from sources)

filename: GomWeb3.dll
command:  OpenURL(<overly long string>)
bytes:    %eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36
bytes:    %67%31%41%7e
  • Exploit triggers a stack buffer overflow at offset 506 bytes into the OpenURL() argument; monitor ActiveX method calls to GomWeb3.dll where the OpenURL argument length exceeds 506 characters.
  • The PoC exploit constructs the malicious buffer as 506 'A' characters + EIP overwrite + NOP sled + shellcode; detect strings of 506+ repeated characters passed to GomManager.OpenURL in browser script.
  • The return address used for Windows XP SP2 English is 0x7e497c7b (a JMP ESP in a system DLL); use it as a return-address indicator in memory forensics or exploit detection.
  • Payload bad characters for this exploit are null byte, tab, LF, CR, single-quote, and backslash; encoded shellcode in exploit traffic will avoid these bytes.
  • The Metasploit module uses a StackAdjustment of -3500, i.e. the payload is prefixed with an instruction that moves ESP 3500 bytes down before the decoder runs; an adjustment of that size is unusual and may appear in memory analysis of exploited processes.
  • The confirmed vulnerable version is GOM Player 2.1.6.3499 with GomWeb3.dll version 1.0.0.12 only; other versions are not confirmed affected.
  • The Metasploit module's return address (0x7e497c7b) is specific to Windows XP SP2 Pro English; exploitation against other OS versions or service packs requires a different return address.
  • The Metasploit module's payload space is limited to 800 bytes; shellcode exceeding this size will not fit in the exploit buffer.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         7.5     HIGH       -